Hi, I've written a kerberized application that uses the MIT Kerberos libraries to obtain tickets from a Microsoft KDC. I'm using version 1.2.5 of the libraries for this application, and it's worked just fine until recently. Now, all of a sudden, tickets are apparently being returned from the Authentication Server with their expiration time set to 0 (Jan 1, 1970, 00:00). When these tickets are re-presented to the TGT to obtain service tickets for the application, the KDC replies with KRB5KRB_AP_ERR_TKT_EXPIRED. I have a packet trace between my host, and the KDC, which looks roughly like this: 1 AS-REQ (Client: HOST/SERVER01, Server: krbtgt/SERVER.DOMAIN.COM) 2 AS-REP (KRB5KDC_ERR_C_PRINCIPAL_UNKNOWN) 3 AS-REQ (Client: username, Server:krbtgt/SERVER.DOMAIN.COM) 4 AS-REP (Success, ticket returned) 5 TGS-REQ (Server: ldap/dc1/SERVER.DOMAIN.COM) 6 TGS-REP (KRB4REP_AP_ERR_TKT_EXPIRED) Although I can't decrypt the ticket returned in 4 from the packet trace, my suspicion is that the expiration time returned by the KDC in that ticket is set to "0". I confirmed this by listing the ticket cache with klist: Valid starting Expires Service principal 08/18/05 12:29:49 12/31/69 16:00:00 krbtgt/SERVER.DOMAIN.COM@SERVER.DOMAIN.COM (This host is set to PST, so the expiration time makes sense if I take into account the 8 hour difference between it and GMT). I do not have access the KDC to determine whether there are registry settings that may be affecting the tickets returned by the KDC, however, I have asked to have those settings reported back to me. My suspicion was that the Kerberos policy on the KDC was modified. One of the settings listed at the link below allows the administrator to set the default user and service ticket lifetimes to something other than 10 hours. Setting this value to 0 is supposed to make the ticket good for eternity. This seemed reasonable so I tried modifying the default service ticket lifetime on my test KDC, to see how this affected tickets retrieved by kinit. What I found was that it didn't seem to affect tickets returned by kinit. Regardless of the setting on the KDC, the client gets tickets which are valid for 10 hours. The only way to affect the ticket lifetime seems to be to specify a shorter timeout period to kinit via the "-l" option. (Specifying longer timeouts does not result in lifetimes appreciably longer than 10 hours -- I believe this is a known bug with the libraries at v 1.2.5). http://www.windowsitpro.com/Article/ArticleID/15313/15313.html Does anyone have any suggestions as to how to diagnose this problem? I've tried everything I can think of. I searched through the archives and the only reference to the error reported above that I could find doesn't seem relevant: http://mailman.mit.edu/pipermail/krb5-bugs/2004-January/002141.html Thanks for help and suggestions. Eric Steadle -- _______________________________________________ Search for businesses by name, location, or phone number. -Lycos Yellow Pages http://r.lycos.com/r/yp_emailfooter/http://yellowpages.lycos.com/default.asp?SRC=lycos10